Fintech Regulation: Guide to Financial Regulation for Fintech Entrepreneurs in the US



Fintech regulation in the US is extremely complex. While the United States does not currently have a “fintech-specific” regulatory framework in place, the activities of fintech businesses will almost certainly fall within the jurisdiction of many regulators, requiring registration with and compliance with at least one of those agencies.

The situation is made more difficult by the fact that fintech businesses will be subject to a financial regulator in the US at both a federal and state level. Even fintechs offering relatively simple products or services will likely have to secure licenses from multiple federal and state regulators, and comply with the requirements set out by those bodies.

Compliance should be a top-level priority for any fintech business looking to operate in the US. In this article we’ve compiled lists of some of the fintech rules and regulations in the US. However, it is crucial to remember that every business will be subject to specific regulatory requirements; it is therefore vitally important that fintechs seek independent legal counsel before taking any decisions. Please note that this article is not intended to constitute legal advice of any kind. Always seek independent counsel.

How are Fintech Companies Regulated?

The most serious difficulties confronting global fintech regulation arise from attempting to fit new financial technologies into the framework of the current regulatory structure. E-wallets and virtual currencies are two examples of new payment systems that operate outside of traditional banking restrictions. They need completely new restrictions. While laws take time to design and implement, fintech continues to produce innovative new products. This implies that the legal basis for providing fintech services in a particular country is not always crystal clear.

The United States is home to the vast bulk of worldwide fintech efforts. There are 7,385 fintech businesses, more than in Europe, Africa, and the Middle East combined. Despite the industry’s spectacular ascent, the United States has failed to establish a nationwide regulatory framework for financial technology, leaving fintech firms to follow the norms of individual states. The procedure of obtaining the authorizations needed to sell or supply services in the United States has become a huge pain and time drain for new firms.

Still, there are regulations you must comply with when starting a new fintech company in the USA.

Who Regulates Fintech Companies?

Some of the most important regulatory bodies in the United States for the fintech industry are:

  • the Federal Deposit Insurance Corporation (FDIC),
  • Office of the Comptroller of the Currency (OCC),
  • Securities and Exchange Commission (SEC),
  • Commodity Futures Trading Commission (CFTC),
  • Consumer Financial Protection Bureau (CFPB),
  • Financial Crimes Enforcement Network (FinCEN),
  • and Financial Industry Regulatory Authority (FINRA).

Furthermore, every fintech company is required to follow a set of laws and regulations. Examples include:

  • the US AML guidelines,
  • the USA PATRIOT Act,
  • the UK Financial Services Modernization Act,

and others. Similarly, the United States intends to offer a unified regulatory framework for fintech in the near future. As a consequence, accessing the US market will be easier for fintech companies, which would not need to get licenses in each state.

Fintech regulators in the US

How tightly are fintech companies regulated in the US? There is a wide range of regulatory bodies that may govern the activities of fintech businesses operating in the States. Some cover a broad variety of activities, whilst others are more narrowly focused.

The following is a (non-exhaustive) list of the key US regulators with which fintechs may have to register and comply.

Federal Trade Commission (FTC)

A guide to financial regulation for fintech entrepreneurs in the USA begins with the FTC. It is responsible for tackling “anticompetitive, unfair, or deceptive” practices amongst businesses that offer services to consumers. It has also created a vast set of regulatory standards for US-based businesses to follow, including privacy and data protection regulations.

Consumer Financial Protection Bureau (CFPB)

The CFPB regulates financial services offered to consumers. It also enforces rules against generally unfair or deceptive commercial practices.

Federal Deposit Insurance Corporation (FDIC)

The FDIC manages the US deposit protection scheme, which protects deposits up to $250,000 per depositor. Fintech firms regulated by it are not members of the Federal Reserve Scheme.

Securities and Exchange Commission (SEC)

The SEC regulates the US securities market. It has jurisdiction over businesses including securities exchanges, brokers, and dealers; investment advisors; and mutual funds.

Commodity Futures Trading Commission (CFTC)

The CFTC regulates the US commodities markets, and has jurisdiction over businesses such as trading organizations and intermediaries.

Office of the Comptroller of the Currency (OCC)

The OCC regulates national banks, but in 2018 it announced that it would also begin creating some charters on fintech law and banking regulation in the USA. The charter is only available to financial technology businesses that accept deposits, issue checks, or make loans. After receiving the charter, the fintech firm will be subject to the same restrictions as national banks.

Financial Crimes Enforcement Network (FinCEN)

FinCEN is responsible for enforcing the US Anti-Money Laundering (AML) regulations. It sets the terms of AML compliance and fintech securities regulation amongst financial companies, and collects and shares information with other agencies.

Financial Industry Regulatory Authority (FINRA)

FINRA regulates businesses offering investment activities, including crowdfunding. Crowdfunding sites must also be registered with the SEC and FINRA.

Industry associations

As well as being subject to federal and state regulation, the financial services industry also complies with rules set by a number of industry associations. Among them are credit card corporations and the National Automated Clearing House Association.

State governments

Finally, it is vital to remember that fintechs operating in the US will be regulated not only by federal bodies but also under state government regulations for fintech. Laws can vary significantly between states and the compliance landscape is complex, but some measures are being taken to simplify and rationalize the state-level regulatory frameworks, as we will see in a later section.

Fintech regulations in the US

The list of major financial regulations in the US that fintechs must comply with depends on the activities they are pursuing. However, every fintech company operating in the United States should be aware of some common constraints.

Gramm-Leach-Bliley Act (GLBA)

The GLBA, which is part of the Financial Modernization Act, requires all financial institutions to warn their customers about data sharing and to ensure proper protection for their data.

Fair Credit Reporting Act (FCRA)

The FCRA determines the ways in which financial institutions can collect consumer credit information, and extends consumer rights regarding access to the credit reports.

US Anti-Money Laundering regulations (AML)

Regulators of banks and financial institutions in the US established two main AML Acts that are in force: the Bank Secrecy Act and the USA Patriot Act. These rules also require anti-money laundering risk management strategies, customer due diligence (CDD), and other record-keeping requirements. Certain aspects of the Patriot Act deal with foreign commercial transactions.


JOBS Act

The JOBS Act requires crowdfunding platforms and other kinds of finance businesses to register with the SEC and FINRA. It also sets additional obligations and requirements on such businesses, such as limits on fundraising and mandated disclosures.

Fund Transfer Act and CFPB Regulation E

The Fund Transfer Act and the Consumer Financial Protection Bureau’s Regulation E are two legal frameworks for sending and receiving payments. They specifically require financial firms to correct erroneous wire transfers.

Securities Act and Exchange Act

The number of fintech companies using Initial Coin Offerings (ICOs) has increased. The treatment of these activities has been controversial in the US, but precedent has now been set with what is known as the Howey Test. This test determines the legal status of the ICO and, if it meets the threshold requirements, it will be subject to the Securities Act and Exchange Act.


CAN-SPAM Act

Violations of the CAN-SPAM Act, which governs commercial email, carry severe penalties. The Act stipulates what must be included in commercial communications and allows recipients to request that you cease sending them emails, among other things.

Despite its name, the CAN-SPAM Act is not confined to spam emails. The statute defines this category as “any electronic mail message the primary objective of which is the commercial advertising or promotion of a commercial product or service”, which includes email marketing information on commercial websites. Emails between companies are legally considered the same as any other kind of communication. That means you can’t simply send any email — even one promoting a new product line to your old customer list — without first double-checking to be sure you’re not breaching the law.

The future for fintech regulation in the US

As is the case in almost every country worldwide, US regulators have been slow to adapt to the huge changes brought about by the rise of fintechs, and there remains a knowledge gap between regulators and the businesses they are attempting to regulate.

However, the regulatory landscape is changing, and fintech in the new era will be more and more regulated. Lawmakers are coming to understand the specific nature of the fintech sector, and there have been attempts to simplify the byzantine legal framework in order to encourage growth.

Better state cooperation

Several states have begun cooperating in an attempt to reduce complexity around state-by-state regulatory requirements. Drawing on the successes and failures of financial markets regulation in the USA, regulators in seven states have agreed to recognise each other’s findings when assessing license applications, removing some of the burden of state-specific compliance.


Regulatory sandboxes

Several countries have established “regulatory sandboxes” to enable fintech businesses to experiment with minimal intervention from authorities. Financial regulators in certain countries, such as the UK’s FCA, allow fintechs to test their products on real customers.

No such framework currently exists at the federal level in the US, but there have been attempts to establish one; notably the CFPB and Treasury both published 2018 reports including proposals for establishing sandboxes. These tools do exist in some states: Arizona passed a sandbox law in 2018 and Wyoming followed in 2019; meanwhile Washington DC is actively considering such a law.

AI Regulations

Biased algorithms are a major issue in AI that must be addressed. This bias is detrimental, particularly in hastily designed systems: audits of face recognition systems repeatedly show racial and gender bias, and audits of credit screens show that they are biased. When markets are defective in other ways, the most vulnerable eventually become the victims, for example of realistic deep-fakes that vulnerable populations do not realize are AI-embedded.

In January 2021, the United States Congress enacted the Defense Authorization Act. The federal government’s National AI Initiative Office is in charge of ensuring that all government departments, public organizations, and private firms collaborate on AI. The federal government’s research, education, and training programs for AI personnel are shared among departments. There will be representatives present from the Departments of Commerce and Energy and from the National Science Foundation. AI frameworks, new technological standards, and trustworthy recommendations are created by the Department of Defense and the National Institute of Standards and Technology (NIST). To create AI that everyone can trust, one must first agree on how it should function in terms of privacy, security, and explanation. Case studies of how effective AI frameworks have been implemented can assist corporations and academic institutions in meeting international requirements.

Blockchain, Smart Contracts, and DeFi Issues

The United States seems to tackle blockchain and DeFi use cases in a highly unique and distinct manner. Remarks from regulators that clarify the regulations help developers succeed without having to spend too much on obeying the rules.

The conditions of a smart contract cannot be modified once they are entered into the protocol. This makes it more difficult for courts to intervene. A court cannot require software to rewrite itself in the middle of a financial transaction.

Consider a conflict involving digital assets. What if the digital asset does not belong to a person or company that may be sued? If the smart contract code is designed to assume possession of a digital asset, it will only do so in accordance with the original smart contract rules. If the asset is subject to a court order requiring it to be transferred but the smart contract does not contain code requiring it to be transferred, the court order will be “null and invalid”. A court cannot amend the conditions of a smart contract since it is digital. It is not like a traditional bank, which must adhere to a certain portfolio. By court order, the assets of a bank may be transferred to a receiver or trustee.

Rules for smart contracts may be difficult to enforce. Because blockchains are immutable, smart contracts cannot be changed or canceled once they are created. Users of the DeFi protocol should not cease utilizing the system just because its inventors are being sued. Former SEC Commissioner Quintenz projected similar issues in 2018, claiming that smart-contract developer restrictions are useless since end users may continue to utilize the technology despite the prohibitions. Because of these barriers, smart contract creators may only be held liable if they knew or should have known that US citizens would use the code in a way that violated CFTC laws, such as for unlawful gambling.

Future of Regulations in US

Future fintech legislation may revise prior standards, support self-regulation, or embrace regulatory sandboxes. Consider how the SEC intends to define “exchange”. After considerable debate, the SEC ultimately admitted in January 2022 that technology advances and new ideas had transformed the way securities markets connected buyers and sellers. Investors may avoid standard exchanges, which only supply firm orders and matching algorithms, and instead connect through Communication Protocol Systems, which match buyers and sellers of shares via protocols and non-firm trading interest. Buyers and sellers may connect via established marketplaces enabled by communication protocol systems (SEC, 2022).

The word “exchange” now includes Communication Protocol Systems as a consequence of the SEC’s broadening of its regulatory framework to cover DeFi protocols. Any protocol that enables transactions between buyers and sellers of securities, unless excluded, must register as a stock exchange.

Self-regulation solutions have been proposed by developers of digital assets and DeFi apps. Crypto sector leaders must collaborate and advocate for self-regulation. Crypto lobbying is in its infancy. Few crypto players actively engaged financially while the now-defunct Infrastructure Bill was being negotiated in the autumn of 2021. In 2021, Coinbase, whose business model would have been damaged by the measure, spent $625,000 lobbying. The Blockchain Association, a member-driven crypto network policy organization, also supported the Infrastructure Bill in comparison to Meta, which spent $19.7 billion. The Blockchain Association includes a wide range of activities and industry leaders.

The Commodity Futures Trading Commission’s (CFTC) purpose is to improve the stability, transparency, and development of the American derivatives markets. DeFi has the potential to expand into a broad range of sophisticated financial instruments aimed at maximizing their own profits at the cost of others. The CFTC created LabCFTC in 2017 as a regulatory sandbox enabling fintech firms to test their ideas without fear of consequences. LabCFTC’s objective is to improve the CFTC’s engagement in fintech developments and to advocate for their responsible application. Because LabCFTC hasn’t been updated since 2020, comparing it to other international organizations with comparable purposes may provide insight on why it hasn’t been effective. Because of concerns about consumer risk during the sandbox phase and the anti-competitive repercussions of confining the regulatory sandbox to a limited few firms, the costs may exceed the advantages.

How do I comply with US fintech regulations?

Once you decide to start a fintech company, there is no single answer to the challenge of compliance. As we’ve already discussed, every business will be subject to its own specific regulatory obligations. However, there are some simple steps that should be considered by every fintech looking to operate in the US.

  1. Seek advice before you do anything else
    It is absolutely crucial to seek independent legal counsel regarding compliance issues, and this should be done before any concrete decisions are taken. Speak to specialist lawyers well ahead of time to understand what regulatory burdens your business might face and how you can meet them.
  2. Hire wisely
    Compliance should be embedded into your business, and this requires dedicated talent. Make sure you have specialist knowledge on hand from the outset, and that it is treated as a core element of your activities.
  3. Don’t underestimate the resource requirement
    Compliance is not a one-off task. Fintechs operating in the US (and, indeed, in almost every other territory) should prepare to deal with compliance as an everyday issue. Make sure you dedicate sufficient resources to these tasks.
  4. Consider partnerships
    In some circumstances, it may be sensible to enter into a partnership with an existing business that has already secured the relevant licenses. Before doing this you should, of course, think carefully about the terms of any such deal.
  5. Look ahead
    The regulatory environment for financial technology businesses in the United States is changing, so the industry as a whole must be watchful and prepared for any new regulations that may be imposed.

DashDevs can help you build a great fintech product. Our dedicated fintech consultancy provides end-to-end development, security, and advisory services. Get in touch today.
